[dns-operations] Signing of the ARPA zone

Matt Larson mlarson at verisign.com
Sun Mar 21 20:48:25 UTC 2010

On Tue, 16 Mar 2010, Chris Thompson wrote:
> On Mar 15 2010, I wrote:
>> The servers that are delivering a signed "arpa" so far have DNSKEY/RRSIG
>> records using algorithm RSASHA1 (5) rather than RSASHA256 (8). Has there
>> been a change of plan in that respect?
> Ah... today they (that's [ghiklm].root-servers.net so far) have switched
> to an RSASHA256-signed version of "arpa".

The initial plans called for signing .arpa with RSASHA1, since the
code point for RSASHA256 hadn't even been assigned by the IETF when
the project started.  The initial .arpa signing infrastructure,
including the zone's securely generated keys, was deployed with
RSASHA1.  The decision to use RSASHA256 came later in the project and
the system was not reconfigured for the new algorithm until after the
deployment had started.  At the time of the algorithm change, the
RSASHA1 trust anchor had not been published, nor had all .arpa servers
started serving the signed zone, so no community of DNSSEC validators
using the RSASHA1 KSK could have formed.  We are pleased that we were
able to deploy .arpa using RSASHA256 as ultimately intended, and so
far with no reported negative impact.


More information about the dns-operations mailing list